As organisations become more reliant on computer systems connected to the Internet, the opportunities to attack those systems increase. A criminal gang might, for example, command a “botnet” of computers infected by malware to perform a distributed denial-of-service attack. A government could arrange for a virus to be manually uploaded to a computer of a foreign company to gain access to and control of its network. An individual might embed malware on a website to cause a key-logger to be downloaded by an end user. The techniques involved in such attacks are constantly evolving, and there is a constant battle between the attackers trying to exploit loopholes and those trying to stop them. Despite attempts to improve security and detection methods, intrusions and attacks are often discovered only after it is already too late. Even after an attack has been detected and analysed, it can be difficult to assess who is responsible for it or whether it can be linked to other, similar attacks.
Comparing the malware code used in one attack to that used in another does not always provide much information about the identity or behaviour of an attacker. Malware is often written specifically for its intended target, and there may be no discernible pattern linking two pieces of code even when they were written by the same author.
However, a cyber-attack will often require some form of connection to command and control servers or domains to enable the attacker to receive information from the infected machine(s) and, if required, to send instructions to them. If a command and control server is located and identified, this can sometimes identify, or provide clues as to, who is behind a given attack.
In the case of an unsophisticated criminal gang controlling a botnet, it may be straightforward to identify the command and control servers and any associated domains. However, sophisticated entities such as government agencies are often far more effective at masking themselves and the servers and domains they use. In such a scenario, it can be difficult to extract any useful information to help to identify an attacker or link multiple attacks with a wider campaign.
Even if details of a command and control server and its associated domains are discovered, establishing which attacks are connected to it, or whether it is connected to other servers or domains, is a time-consuming manual task that consumes valuable resources that may be better deployed elsewhere.
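By way of an added illustration (not part of this specification or of any method claimed in it), the following Python script shows the basic linking task described above: given a set of observations, each recording an attack identifier, the malware sample involved, and the command and control domain and IP address it contacted, attacks that share any piece of command and control infrastructure are grouped together. The observations, attack identifiers, domains and addresses below are constructed sample values chosen from documentation ranges; the sample hashes are placeholders.

```python
from collections import defaultdict

# Constructed sample observations (not real incidents):
# (attack_id, malware_sample_placeholder, c2_domain, c2_ip)
OBSERVATIONS = [
    ("attack-A", "sha256:PLACEHOLDER-A", "update-check.example", "198.51.100.10"),
    ("attack-B", "sha256:PLACEHOLDER-B", "cdn-sync.example", "198.51.100.10"),  # shares IP with A
    ("attack-C", "sha256:PLACEHOLDER-C", "cdn-sync.example", "203.0.113.7"),    # shares domain with B
    ("attack-D", "sha256:PLACEHOLDER-D", "mail-relay.example", "192.0.2.55"),   # isolated
]


def link_attacks(observations):
    """Group attacks that are transitively connected through shared C2 domains or IPs.

    Attacks, domains and IPs are all treated as nodes of one graph; a disjoint-set
    (union-find) structure merges an attack with every indicator it contacted, so
    two attacks end up in the same cluster whenever any chain of shared indicators
    joins them. Returns a sorted list of sorted attack-id lists.
    """
    parent = {}

    def find(node):
        # Iterative find with path halving; unseen nodes become their own root.
        while parent.setdefault(node, node) != node:
            parent[node] = parent[parent[node]]
            node = parent[node]
        return node

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    for attack, _sample, domain, ip in observations:
        union(("attack", attack), ("domain", domain))
        union(("attack", attack), ("ip", ip))

    clusters = defaultdict(set)
    for attack, *_ in observations:
        clusters[find(("attack", attack))].add(attack)
    return sorted(sorted(members) for members in clusters.values())


def shared_indicators(observations):
    """Return each domain or IP contacted by more than one attack, with the attacks using it.

    These are the pivot points an analyst would otherwise have to find by hand.
    """
    seen = defaultdict(set)
    for attack, _sample, domain, ip in observations:
        seen[domain].add(attack)
        seen[ip].add(attack)
    return {indicator: attacks for indicator, attacks in seen.items() if len(attacks) > 1}


if __name__ == "__main__":
    for cluster in link_attacks(OBSERVATIONS):
        print("linked attacks:", ", ".join(cluster))
    for indicator, attacks in sorted(shared_indicators(OBSERVATIONS).items()):
        print(f"shared indicator {indicator}: {', '.join(sorted(attacks))}")
```

In the constructed data, attack-A and attack-B share an IP address and attack-B and attack-C share a domain, so all three fall into one cluster even though A and C have no indicator in common; attack-D, whose infrastructure overlaps with nothing else, remains alone. Real observations would be drawn from network logs or sandbox reports and would typically require normalisation (case-folding domains, collapsing hosting ranges) before such linking is reliable.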
US2014/0090059A1 describes a heuristic botnet detection method that involves monitoring network traffic to identify suspicious activity based on network traffic behaviour. However, in this method, threat detection and analysis occurs on an agent installed on an end-user's device and focuses on detecting whether malware is present on a particular machine so that it can be removed. It does not assist with the higher-level analysis of associating a particular piece of malware with a wider campaign, nor with reconstructing and identifying the links between command and control servers and the malware they control.
US2012/0204264A1 describes a method and system for detecting botnets that rely on automatically reconstructing the command and control topology of a botnet through information obtained from a “trapped” sample of a botnet. However, this method relies on acquiring a botnet sample (for example, in a honeynet) before the botnet topology can be reconstructed. It is also not able to make any links between servers or domains outside of the command and control topology identified from the sample, and is further not able to automatically analyse whether or not an arbitrary connection from an IP address is linked to a suspicious domain, a piece of malware, or an attack that is not part of the particular botnet being studied.
US 2013/0174256 A1 describes a method for detecting highly distributed, stealthy network attacks in which “visualization” of botnet nodes is achieved through an electronic map of the geographic locations of the botnet nodes. Again, however, this method is not able to determine or analyse links outside of the particular botnet or attack being analysed.
U.S. Pat. No. 8,560,413B1 describes a method of visualisation of Internet nodes involved in distributed electronic crime in order to see patterns of actionable intelligence. The method focusses on using latency calculations between nodes to determine their geolocation after a network's topology has already been determined.
There is a need for an improved method of detecting and analysing coordinated cyber-attacks.